Milton, Florida, said a Dec. 26 incident resembled ransomware months after network-related disruptions delayed utility bills, paused automatic payments and affected online payments into the spring.
The city’s June disclosure put a suspected-ransomware timeline behind a disruption residents had spent weeks seeing described as network repairs, a network outage or a system outage. Milton is a city of about 11,400 residents northeast of Pensacola and serves as the Santa Rosa County seat.
Milton said it detected suspicious activity consistent with a ransomware attack on Dec. 26, 2025, and immediately took steps to secure its network, according to a June 25 report by WEAR. The city said City Council and appropriate authorities were notified, and that state and federal law enforcement agencies, cybersecurity experts and legal counsel provided through the city’s insurance providers led the investigation.
The city said investigators found “no indication” any city information was accessed, acquired, copied, leaked, posted publicly or otherwise taken. It also said it followed applicable notification and reporting requirements under Florida law and implemented additional security upgrades.
But Milton’s earlier public notices did not describe the event as ransomware or a cybersecurity incident. A Dec. 26 city Facebook post reviewed by DysruptionHub said Milton’s Finance Department would close at 1 p.m. and told residents online bill pay remained available. The post did not cite a cause, but it came the same day Milton later said suspicious activity was detected.
The city’s first utility-billing notice found by DysruptionHub came Jan. 16, when Milton said January utility bills had not been issued because of network repairs and that some customers had not received December bills by mail. The city told customers they could pay the same amount as their most recent bill and said no January shutoffs or late fees would occur.
On Feb. 6, Milton said a “recent network outage affecting City of Milton utility billing services” had been resolved and that bills would begin going out the following week. The city said December and January balances would be combined on upcoming statements, no late fees would be charged in connection with the disruption, no shutoffs would occur at that time and automatic payments had been paused during the outage.
The city also said some customers temporarily saw a $0 balance in online accounts because of a display error. In a Facebook reply to a customer that month, the city said the balance could still display as $0 and might not show a January statement.
On Feb. 25, Milton said utility billing had resumed after a system outage delayed mailed bills “in recent months,” causing some customers to receive bills with multiple billing cycles at once. The city said it would not charge late fees for December, January, February or March, and that customers who established payment plans would not have utilities disconnected.
The billing problems continued into the spring. On March 31, the city said online utility payments were back up and running after what it labeled an online payment outage. On May 1, Milton said utility billing operations had been fully restored after the recent service disruption and that shutoffs would resume the following week for accounts with outstanding balances.
A listing attributed to the Lynx ransomware group appeared Jan. 5 for miltonfl.org, the city’s official website domain. DysruptionHub reviewed the listing and did not find sample files or a public tranche of allegedly stolen city data attached to it. The listing reflects the group’s claim, not confirmation from Milton, and the city later said investigators found no indication city information was accessed, copied, leaked, posted publicly or taken.
Milton said City Council was notified after the Dec. 26 activity was detected, but DysruptionHub reviewed available City Council minutes and did not find a public reference to the suspected ransomware incident, the network response or the utility billing outage. It was not immediately clear whether council members were briefed outside a public meeting, through counsel or in another confidential setting.
Chip in once
If this reporting helped you, a one-time tip helps cover hosting, tools and future investigations.
Support us monthly
A small monthly pledge keeps independent coverage and our reader tools online for everyone.
The city also cited Section 119.0725, Florida Statutes, in saying records associated with a cybersecurity incident are confidential and exempt from public disclosure. The statute creates public records and public meetings exemptions for certain agency cybersecurity information, including information about cybersecurity incidents, leaving unclear what records, if any, Milton would release about its response. It also was not clear whether the city’s June statement was issued proactively, in response to media questions or after another inquiry.
DysruptionHub asked Milton when it first determined the Dec. 26 activity was cybersecurity-related or consistent with ransomware, why it waited until June to publicly describe the incident that way, whether the billing disruption was connected, what systems were affected and whether the city investigated the Lynx listing. The city did not respond before publication.
The disclosure gap echoes Cocoa, Florida, where officials described February IT disruptions as “technical issues” while an INCRansom leak-site claim circulated. Cocoa declared an emergency, said 911 and dispatch remained operating and used backup processes for city services, but did not publicly confirm ransomware in the official notices reviewed by DysruptionHub.
Milton says no city information was taken and that security upgrades were made, but it has not publicly explained why the suspected-ransomware characterization came months after network-related disruptions affected utility billing and payments into May.
